METHOD FOR ESTABLISHING A KEY
USING OVER-THE-AIR COMMUNICATION
AND PASSWORD PROTOCOL AND
PASSWORD PROTOCOL

RELATED APPLICATIONS 

The following applications, filed concurrently with the subject application, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR TWO PARTY AUTHENTICATION AND KEY AGREEMENT by one of the inventors of the subject application; application no. unknown entitled METHOD FOR UPDATING SECRET SHARED DATA IN A WIRELESS COMMUNICATION SYSTEM by one of the inventors of the subject application; application no. unknown entitled METHOD FOR TRANSFERRING SENSITIVE INFORMATION USING INITIALLY UNSECURED COMMUNICATION by one of the inventors of the subject application; and application no. unknown entitled METHOD FOR SECURING OVER-THE-AIR COMMUNICATION IN A WIRELESS SYSTEM by one of the inventors of the subject application.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a password protocol and a method for establishing a key using over-the-air communication and, in one embodiment, the password protocol.

2. Description of Related Art

In a wireless communication system, the handsets, often called mobiles, purchased by mobile users are typically taken to a network service provider, and long keys and parameters are entered into the handset to activate service. The network of the service provider also maintains and associates with the mobile a copy of the long keys and parameters for the mobile. As is well-known, based on these long keys and parameters, information can be securely transferred between the network and the mobile over the air.

Alternatively, the user receives long keys from the service 
provider over a secure communication channel, like a 
telephone/land line, and must manually enter these codes 
into the mobile. 

Because the transfer of the long keys and parameters is performed via a telephone/land line or at the network service provider as opposed to over the air, the transfer is secure against over-the-air attacks. However, this method of securely transferring information places certain burdens and restrictions on the mobile user. Preferably, the mobile user should be able to buy their handsets and then get service from any service provider without physically taking the handsets to the provider's location or having to manually, and error free, enter long keys into the mobile. The capability to activate and provision the mobile remotely is part of the North American wireless standards, and is referred to as "over the air service provisioning" (OTASP).

Currently, the North American Cellular standard IS41-C specifies an OTASP protocol using the well-known Diffie-Hellman (DH) key agreement for establishing a secret key between two parties. FIG. 1 illustrates the application of the DH key agreement to establishing a secret key between a mobile 20 and a network 10 used in IS41-C. Namely, FIG. 1 shows, in a simplified form for clarity, the communication between a network 10 and a mobile 20 according to the DH key agreement. As used herein, the term network refers to the authentication centers, home location registers, visiting location registers, mobile switching centers, and base stations operated by a network service provider.

The network 10 generates a random number R_N, and calculates (g^R_N mod p). As shown in FIG. 1, the network 10 sends a 512-bit prime number p, the generator g of the group generated by the prime number p, and (g^R_N mod p) to the mobile 20. Next, the mobile 20 generates a random number R_M, calculates (g^R_M mod p), and sends (g^R_M mod p) to the network 10.

The mobile 20 raises the received (g^R_N mod p) from the network 10 to the power R_M to obtain (g^(R_M R_N) mod p). The network 10 raises the received (g^R_M mod p) from the mobile 20 to the power R_N to also obtain (g^(R_M R_N) mod p). Both the mobile 20 and the network 10 obtain the same result, and establish the 64 least significant bits as the long-lived key called the A-key. The A-key serves as a root key for deriving other keys used in securing the communication between the mobile 20 and the network 10.

One of the problems with the DH key exchange is that it is unauthenticated and susceptible to a man-in-the-middle attack. For instance, in the above mobile-network two party example, an attacker can impersonate the network 10 and then in turn impersonate the mobile 20 to the network 10. This way the attacker can select and know the A-key as it relays messages between the mobile 20 and the network 10 to satisfy the authorization requirements. The DH key exchange is also susceptible to off-line dictionary attacks.

Another well-known protocol for protecting the over-the-air transfer of information, such as the A-key, is the Diffie-Hellman Encrypted Key Exchange (DH-EKE). DH-EKE is a password based protocol for exchanging information, and assumes that both the mobile user and the network service provider have established a password prior to the over-the-air transfer. Unlike the DH key exchange system discussed with respect to FIG. 1, the DH-EKE protects against man-in-the-middle attacks and off-line dictionary attacks.

The DH-EKE will be described with respect to FIG. 2, which illustrates the communication between the mobile 20 and the network 10 according to the DH-EKE protocol. As shown, the mobile 20 sends a 512-bit prime number p and the generator g to the network 10 along with (g^R_M mod p) encrypted according to an encryption/decryption algorithm ENC using the password P, known to the mobile user and the network 10, as the encryption key. This calculation is represented as ENC_P(g^R_M mod p). The network 10 decrypts (g^R_M mod p) using the password P, and calculates (g^R_M mod p)^R_N, which equals (g^(R_M R_N) mod p). The network 10 selects (g^(R_M R_N) mod p), a hash of this value, or some portion thereof as a session key SK.

The network 10 then sends (g^R_N mod p) encrypted according to ENC using the password P and a random number R_N' encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts (g^R_N mod p) using the password P, and calculates (g^R_N mod p)^R_M, which equals (g^(R_M R_N) mod p). Then, the mobile 20 selects (g^(R_M R_N) mod p), the hash thereof, or a portion thereof as did the network 10 as the session key SK. Using the session key SK, the mobile 20 then decrypts R_N'.

Next, the mobile 20 generates a random number R_M', encrypts the random numbers R_M' and R_N' according to ENC using the session key SK, and sends the encrypted random numbers R_M' and R_N' to the network 10. The network 10 decrypts the random numbers R_N' and R_M' using the session key SK, and determines whether the decrypted version of R_N' equals the version of R_N' originally sent to the mobile 20. The session key SK is verified by the network 10 when the decrypted version of R_N' equals the version of R_N' originally sent to the mobile 20.

The network 10 then sends the random number R_M' encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts the random number R_M' using the session key SK, and determines whether the calculated version of R_M' equals the version of R_M' originally sent to the network 10. The session key SK is verified by the mobile 20 when the decrypted version of R_M' equals the version of R_M' originally sent to the network 10.

Once the network 10 and the mobile 20 have verified the session key SK, the session key SK is used as the A-key, and communication between the mobile 20 and the network 10 is reconfigured using the A-key.

While the DH-EKE protocol eliminates man-in-the-middle and off-line dictionary attacks, information may still leak, and an attacker may recover the password P.

SUMMARY OF THE PRESENT INVENTION

In the password protocol, the communicating parties exchange calculation results, which each include an exponential, to generate a key. In generating the calculation results, each party adds the password to their respective exponential. If the authorizing information previously sent by one party is acceptable to the other party, then this other party uses the key established according to the password protocol. The authorizing information is sent over a secure communication channel. By adding the password to the respective exponentials, less information on the password leaks and the computation becomes more efficient.

The secure communication channel is also used in other embodiments to verify a hash on at least one calculation result sent between the parties. Unlike the password protocol, however, the calculation results do not include the password. If the hash is verified, then a key is established using the calculation results sent between the parties. This verification process provides a measure of security prior to establishing the key.

The present invention has various applications including the wireless industry wherein the parties are a mobile user and a network.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will become more fully understood from the detailed description given below and the accompanying drawings which are given by way of illustration only, wherein like reference numerals designate corresponding parts in the various drawings, and wherein:

FIG. 1 shows the communication between a network and a mobile according to the Diffie-Hellman key agreement;

FIG. 2 shows the communication between a network and a mobile according to the Diffie-Hellman Encrypted Key Exchange protocol;

FIG. 3 shows the communication between a network and a mobile user via a telephone/land line and a mobile according to a first embodiment of the present invention;

FIG. 4 shows the communication between a network and a mobile user via a telephone/land line and a mobile according to a second embodiment of the present invention; and

FIG. 5 shows the communication between a network and a mobile user via a telephone/land line and a mobile according to a third embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The system and method according to the present invention for establishing a key using over-the-air communication will be described as applied to a wireless system. Namely, establishing a key between a mobile 20 and a network 10 using both a telephone/land line 30 and, according to one embodiment, a password protocol will be described.

FIG. 3 illustrates the communication between (1) the network provider and the network 10, collectively referred to as the network 10, and (2) a mobile user via a telephone/land line 30 and the mobile 20 according to a first embodiment of the present invention. As shown, via the telephone/land line 30 a mobile user provides the network 10 with authorizing information (e.g., credit card information for billing purposes). If the network 10 accepts the authorizing information, the network 10 provides the mobile user with a four (4) digit password P via the telephone/land line 30. It should be understood, however, that the password P may be more or less than four digits.

The mobile user then enters this short password P into the mobile 20 as part of an activation program. Using a random number generator, the mobile 20 generates a random number R_M, and using a pre-stored 512-bit prime number p and the generator g of the group generated by the prime number p, calculates ((g^R_M + P) mod p).

The mobile 20 sends the prime number p and the generator g to the network 10 along with ((g^R_M + P) mod p). Because ((g^R_M + P) mod p) equals (g^R_M mod p) + (P mod p) and the network 10 knows the password P, the network 10 calculates (P mod p) and extracts (g^R_M mod p) from ((g^R_M + P) mod p). After generating a random number R_N, the network 10 calculates (g^R_M mod p)^R_N, which equals (g^(R_M R_N) mod p). The network 10 selects (g^(R_M R_N) mod p), the hash thereof, or a portion thereof as a session key SK. For example, if incorporated in the IS41 protocol, the 64 least significant bits of (g^(R_M R_N) mod p) would be selected as a session key SK.

The network 10 then calculates and sends ((g^R_N + P) mod p) to the mobile 20. The mobile 20, after extracting (g^R_N mod p), calculates (g^R_N mod p)^R_M, which equals (g^(R_M R_N) mod p). The mobile 20 selects (g^(R_M R_N) mod p), the hash thereof, or a portion thereof in the same manner as the network 10 as a session key SK. For example, if incorporated in the protocol, the 64 least significant bits of (g^(R_M R_N) mod p) would be selected as a session key SK.

Once the network 10 and the mobile 20 have the session key SK, the session key SK is used as the A-key, and communication between the mobile 20 and the network 10 is reconfigured using the A-key.

The over-the-air exchange according to the present invention discussed above uses a password protocol (i.e., the transfers of ((g^R_M + P) mod p) and ((g^R_N + P) mod p) in FIG. 3) which does not leak information to the degree that the DH-EKE protocol leaks information. Furthermore, this password protocol is secure because removing the effect of the password does not reveal anything. R_M and R_N are uniform random numbers. Raising g to these powers and then reducing by mod p also results in uniform and random numbers because of the permutation induced by exponentiation mod p. So, adding P mod p to that number does not change the uniformity and randomness of the result. All numbers are equally likely, and removing the effects of other passwords also creates equally likely numbers, so there is no leaking of information. One skilled in the art will also appreciate that the password protocol discussed above is not limited in application to the over-the-air exchange of information. For example, this password protocol could be applied to entity authentication and session key agreement.

A second embodiment of the present invention will now be described with respect to FIG. 4. FIG. 4 illustrates the communication between the network 10 and a mobile user via the telephone/land line 30 and the mobile 20 according to a second embodiment of the present invention. As shown, via the telephone/land line 30 a mobile user provides the network 10 with authorizing information. If the network 10 accepts the authorizing information, then when the mobile 20 issues an initialization request as part of the mobile's initialization procedure, the initialization process will continue.

For example, the mobile 20 generates a random number R_M, calculates (g^R_M mod p), and sends an initialization request along with (g^R_M mod p) to the network 10.

The network 10 generates a random number and sends (g^R_N mod p) to the mobile 20.

Both the mobile 20 and the network 10 perform h((g^R_N mod p), (g^R_M mod p)), which is a collective hash on (g^R_N mod p) and (g^R_M mod p) using the well-known Secure Hashing Algorithm (SHA). It should be noted, however, that any hashing algorithm can be used. The mobile 20 displays the results of the hash, and the mobile user, via the telephone/land line 30, gives the digits of the hash to the network 10.

If the network 10 finds a match between the digits provided by the mobile user and the hash performed by the network 10, then communication is verified and the A-key is established as (g^(R_M R_N) mod p), the hash thereof, or a portion thereof. Namely, the mobile 20 will have established the A-key as such, but the network 10 will only associate this A-key with the mobile 20 if the hash is verified.
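
Returning to the password protocol of the first embodiment (FIG. 3): the exchange with both sides' calculations, as an added example that is not code from the patent. The prime 2**521 - 1, the base g = 3, the sample passwords, and all function names are assumptions made for illustration.

```python
import secrets

# Constructed stand-in parameters (assumptions): the patent's pre-stored 512-bit
# prime p and generator g are not given on the page. 2**521 - 1 is a Mersenne
# prime; g = 3 is used as the base without checking that it generates the group.
P_PRIME = 2**521 - 1
G = 3
MASK64 = (1 << 64) - 1


def random_exponent(p=P_PRIME):
    """Uniform random exponent R in [1, p - 2]."""
    return 1 + secrets.randbelow(p - 2)


def masked_result(exponent, password, p=P_PRIME, g=G):
    """Value sent over the air: ((g^R + P) mod p)."""
    return (pow(g, exponent, p) + password) % p


def extract(received, password, p=P_PRIME):
    """Subtract (P mod p) from the received result to recover (g^R mod p)."""
    value = (received - password % p) % p
    if value == 0:
        # Added sanity check (not in the patent text): 0 is not a power of g.
        raise ValueError("received value is not a group element")
    return value


def session_key(received, own_exponent, password, p=P_PRIME):
    """64 least significant bits of (g^(R_M R_N) mod p), as in the IS41 example."""
    return pow(extract(received, password, p), own_exponent, p) & MASK64


def exchange(mobile_password, network_password):
    """Run both sides once; returns (SK at the mobile, SK at the network)."""
    r_m = random_exponent()
    to_network = masked_result(r_m, mobile_password)    # mobile -> network
    r_n = random_exponent()
    to_mobile = masked_result(r_n, network_password)    # network -> mobile
    sk_network = session_key(to_network, r_n, network_password)
    sk_mobile = session_key(to_mobile, r_m, mobile_password)
    return sk_mobile, sk_network


if __name__ == "__main__":
    PASSWORD = 4271  # constructed four-digit password
    print(exchange(PASSWORD, PASSWORD))  # both sides hold the same 64-bit key
    print(exchange(PASSWORD, 1234))      # password mismatch: the keys disagree
```

The first embodiment as described has no confirmation message, so a password mismatch shows up only as disagreeing keys when the A-key is first used.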

As an alternative, or third embodiment, along with the authorizing information, the mobile user 20 supplies sufficient information (e.g., the mobile's identification number, etc.) to the network 10 such that the network 10 can contact the mobile 20 and send (g^R_N mod p) as an initial communication.

This third embodiment is subject to a birthday attack; namely, half as many attempts by a man-in-the-middle need to be made to attack this protocol than one would initially assume. However, according to an alternative of the third embodiment, if the hash is changed to h((g^R_N mod p), (g^R_M mod p), (g^(R_M R_N) mod p)), then the attack is significantly slowed because the attacker must do exponentiation along with the hashes.

As another alternative to the third embodiment, the hash 
performed to verify communication between the mobile 20 
and the network 10 includes the identification number of the 
mobile 20. 

According to a further modification of the third embodiment (i.e., a fourth embodiment of the present invention), the mobile 20 does not send (g^R_M mod p) to the network 10, as shown in FIG. 4, until after receiving (g^R_N mod p) from the network 10. In the third embodiment, the man-in-the-middle attacker was able to see both (g^R_M mod p) and (g^R_N mod p), and thus exploit the birthday attack. According to this fourth embodiment, the attacker has to commit to a (g^R_N mod p) before the mobile 20 responds with a (g^R_M mod p). This reduces, by one, the attacker's degrees of freedom.

FIG. 5 illustrates the communication between the network 10 and a mobile user via the telephone/land line 30 and the mobile 20 according to a fifth embodiment of the present invention. As shown, via the telephone/land line 30 a mobile user provides the network 10 with authorizing information. As discussed above, along with the authorizing information, the mobile 20 can supply the network 10 with sufficient information (e.g., the mobile identifier, etc.) for the network 10 to make initial contact with the mobile 20. If the network 10 accepts the authorizing information, then the initialization process will continue.

The initialization process continues with one of the 
mobile 20 and the network 10 sending an initialization 
request to the other party. 

For example, if the mobile 20 sends the initialization request, then the network 10 generates a random number R_N, calculates (g^R_N mod p) and the hash of (g^R_N mod p), and sends h(g^R_N mod p) to the mobile 20. The mobile 20 generates a random number R_M, calculates (g^R_M mod p), and sends (g^R_M mod p) to the network 10. The network 10 in return sends (g^R_N mod p) to the mobile 20.

Next, the mobile 20 calculates the hash of the received (g^R_N mod p), and confirms whether this calculated version of h(g^R_N mod p) equals the version initially received from the network 10. If confirmed, the initialization process continues.

Namely, both the mobile 20 and the network 10 perform h((g^R_M mod p), h(g^R_N mod p)). The mobile 20 displays the results of the hash, and the mobile user, via the telephone/land line 30, gives the digits of the hash to the network 10.

If the network 10 finds a match with the hash performed by the network 10, then communication is verified and the A-key is established as (g^(R_M R_N) mod p), the hash thereof, or a portion thereof. Namely, the mobile 20 will have established the A-key as such, but the network 10 will only associate this A-key with the mobile 20 if the hash is verified.

As discussed above, instead of the mobile 20 sending the initialization request, the network 10 sends the initialization request. If the network 10 sends the initialization request, then the mobile 20 generates a random number R_M, calculates (g^R_M mod p), calculates the hash of (g^R_M mod p), and sends h(g^R_M mod p) to the network 10. The network 10 in return generates a random number R_N, calculates (g^R_N mod p) and sends (g^R_N mod p) to the mobile 20.

The mobile 20 sends (g^R_M mod p) to the network 10, and the network 10 calculates the hash of (g^R_M mod p). The network 10 then confirms whether the calculated version of h(g^R_M mod p) equals the version initially received from the mobile 20. If equal, the initialization process continues.

Namely, both the mobile 20 and the network 10 perform h((g^R_N mod p), h(g^R_M mod p)). The mobile 20 displays the results of the hash, and the mobile user, via the telephone/land line 30, gives the digits of the hash to the network 10.

If the network 10 finds a match with the hash performed by the network 10, then communication is verified and the A-key is established as (g^(R_M R_N) mod p), the hash thereof, or a portion thereof. Namely, the mobile 20 will have established the A-key as such, but the network 10 will only associate this A-key with the mobile 20 if the hash is verified.

As a further alternative, the final hash performed to verify 
communication between the mobile 20 and the network 10 
includes the identification number of the mobile 20. 

A man-in-the-middle attacker cannot use a birthday type attack because when acting as the network 10 he has to commit to the exponential he is using (via the hash) before he sees the mobile user's exponential. Similarly, the attacker, when acting as the mobile 20, has to commit to the exponential before the value of the network's exponential, associated with the hash, is revealed.
In some of the embodiments of the present invention, the prime number p and the generator g were assumed to be fixed and pre-stored in the mobile 20. However, if that is not the case, then the attacker can replace g and p with g' and p', which will allow the attacker to calculate the discrete logarithm efficiently. If g and p are also sent over the air then they should also be used as part of the hash calculation, h(g, p, (g^R_M mod p), (g^R_N mod p)), in order to stop the substitution of g and p by the attacker.
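
The commit-then-reveal exchange of the fifth embodiment (mobile sends the initialization request), with g and p bound into the displayed hash as the paragraph above recommends, as an added example that is not code from the patent. SHA-256, the eight-digit display length, the stand-in parameters 2**521 - 1 and g = 3, and all function names are assumptions; the `tamper` argument only simulates in-transit modification so that each check can be exercised.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in parameters: the patent's pre-stored 512-bit prime p and
# generator g are not given on the page. 2**521 - 1 is a Mersenne prime.
P_PRIME = 2**521 - 1
G = 3
MASK64 = (1 << 64) - 1


def _encode(*values):
    """Length-prefix each field so distinct tuples never share an encoding."""
    out = b""
    for v in values:
        raw = v if isinstance(v, bytes) else v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def commit(exponential):
    """h(g^R mod p), sent before the sender has seen the peer's exponential."""
    return hashlib.sha256(_encode(exponential)).digest()


def opens(commitment, revealed):
    """Receiver's check once the exponential itself is revealed."""
    return hmac.compare_digest(commitment, commit(revealed))


def digits(g, p, exponential, commitment, n=8):
    """Digits of h(g, p, g^R_M mod p, h(g^R_N mod p)) read over the land line.

    n = 8 is an assumption; the page does not say how many digits are shown.
    """
    d = hashlib.sha256(_encode(g, p, exponential, commitment)).digest()
    return f"{int.from_bytes(d, 'big') % 10**n:0{n}d}"


def provision(tamper=None):
    """One run where the mobile sends the initialization request.

    tamper simulates in-transit modification to exercise the checks:
    "reveal" (network's exponential), "exponential" (mobile's), "params" (g).
    """
    g, p = G, P_PRIME
    r_n = 1 + secrets.randbelow(p - 2)
    e_n = pow(g, r_n, p)
    c_n = commit(e_n)                          # network -> mobile: h(g^R_N mod p)

    g_mobile = 2 if tamper == "params" else g  # g as the mobile received it
    r_m = 1 + secrets.randbelow(p - 2)
    e_m = pow(g_mobile, r_m, p)                # mobile -> network: g^R_M mod p
    e_m_seen = (e_m * 2) % p if tamper == "exponential" else e_m

    e_n_seen = (e_n * 2) % p if tamper == "reveal" else e_n  # network -> mobile
    if not opens(c_n, e_n_seen):
        return "abort: revealed value does not open the commitment"

    shown = digits(g_mobile, p, e_m, c_n)      # displayed by the mobile, read by the user
    expected = digits(g, p, e_m_seen, c_n)     # computed by the network
    if not hmac.compare_digest(shown, expected):
        return "reject: digits differ, A-key not associated with the mobile"

    a_key_mobile = pow(e_n_seen, r_m, p) & MASK64
    a_key_network = pow(e_m_seen, r_n, p) & MASK64
    assert a_key_mobile == a_key_network       # 64 LSBs of g^(R_M R_N) mod p
    return "ok"


if __name__ == "__main__":
    for mode in (None, "reveal", "exponential", "params"):
        print(mode, "->", provision(mode))
```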

Furthermore, although each embodiment was described using a telephone/land line 30, other forms of secure communication could replace the telephone/land line 30. For instance, a previously activated mobile could replace the telephone/land line. Alternatively, but less secure, the telephone/land line communications could be performed over a voice channel between the mobile 20 and the network 10, and the remaining communication would occur over a control channel between the mobile 20 and the network 10.

The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications are intended to be included within the scope of the following claims.

We claim: 

1. A method of establishing a key at a first party using a password, comprising:

(a) generating, at said first party, a first random number

(b) producing a first calculation result by calculating ((g^R_M + P) mod p), where P is a password, p is a prime number, and g is a generator of a group generated by said prime number p;

(c) sending said prime number p, said generator g, and said first calculation result to a second party;

(d) receiving a second calculation result equal to ((g^R_N + P) mod p) from said second party, where R_N is a second random number; and

(e) establishing a key based on said second calculation result and said first random number.

2. The method of claim 1, wherein said step (e) comprises:

(e1) calculating (P mod p);

(e2) subtracting (P mod p) from said second calculation result of ((g^R_N + P) mod p) to obtain (g^R_N mod p); and

(e3) establishing said key based on (g^R_N mod p) and said first random number.

3. The method of claim 1, wherein said first party is a mobile in a wireless system and said second party is a network.

4. The method of claim 1, prior to said step (b), further comprising:

(f) sending authorizing information over a secure communication channel to said second party; and

(g) receiving said password from said second party over said secure communication channel if said second party accepts said authorizing information.

5. The method of claim 4, wherein

said first party is a mobile user in a wireless system and said second party is a network; and

said secure communication channel is a land line.

6. A method of establishing a key at a first party using a password, comprising:

(a) receiving, at a first party, a prime number p, a generator g of a group generated by said prime number p, and a first calculation result from a second party, said first calculation result being a result of calculating ((g^R_M + P) mod p), where P is a password and R_M is a first random number;

(b) generating a second random number R_N;

(c) producing a second calculation result by calculating ((g^R_N + P) mod p);

(d) sending said second calculation result to said second party; and

(e) establishing a key based on said first calculation result and said second random number.

7. The method of claim 6, wherein said step (e) comprises:

(e1) calculating (P mod p);

(e2) subtracting (P mod p) from said first calculation result of ((g^R_M + P) mod p) to obtain (g^R_M mod p); and

(e3) establishing said key based on (g^R_M mod p) and said second random number.

8. The method of claim 6, wherein said first party is a network in a wireless system and said second party is a mobile.

9. The method of claim 6, prior to said step (a), further comprising:

(f) receiving authorizing information over a secure communication channel from said second party; and

(g) sending said password to said second party over said secure communication channel if said authorizing information is acceptable.

10. The method of claim 9, wherein

said first party is a network in a wireless system and said second party is a mobile user; and

said secure communication channel is a land line.

11. A method of establishing a key at a first party, comprising:

(a) generating, at said first party, a first random number R_M;

(b) producing a first calculation result by calculating (g^R_M mod p), where p is a prime number, and g is a generator of a group generated by said prime number p;

(c) sending said first calculation result to a second party;

(d) receiving a second calculation result equal to (g^R_N mod p) from said second party, where R_N is a second random number;

(e) calculating a first hash of at least said first calculation result;

(f) sending said first hash to said second party over a first secure communication channel; and

(g) establishing a key based on said first random number and said second calculation result.

12. The method of claim 11, further comprising:

(h) sending authorizing information to said second party over a second secure communication channel; and wherein

said step (d) receives said second calculation result if said authorizing information is acceptable to said second party.

13. The method of claim 12, wherein

said step (h) sends an identifier for said first party along with said authorizing information; and

said step (d) is performed one of prior to and concurrent with said step (c).

14. The method of claim 13, wherein said step (c) is not performed until after said step (d).

15. The method of claim 14, wherein

said step (h) sends an identifier for said first party along with said authorizing information; and

said step (e) calculates said first hash as a hash of at least said first calculation result and said identifier for said first party.

16. The method of claim 14, wherein said step (e) calculates said first hash as a hash of said first and second calculation results and (g^R_N mod p)^R_M.

17. The method of claim 11, wherein said step (e) calculates said first hash as a hash of at least said first and second calculation results.

18. The method of claim 11, wherein said first party is a mobile user in a wireless system and said second party is a network.

19. A method of establishing a key at a first party, comprising:

(a) receiving a first calculation result from a second party, said first calculation result being a result of calculating (g^R_M mod p) where is a first random number, p is a prime number, and g is a generator of a group generated by said prime number p;

(b) generating a second random number

(c) producing a second calculation result by calculating (g^R_N mod p);

(d) sending said second calculation result to said second party;

(e) calculating a first hash of at least said first calculation result;

(f) receiving a second hash from said second party over a first secure communication channel;

(g) verifying said second party based on said first and second hashes; and

(h) establishing a key based on said second random number and said first calculation result if said second party is verified.

20. The method of claim 19, further comprising:

(i) receiving authorizing information from said second party over a second secure communication channel; and wherein

said step (d) sends said second calculation result to said second party if said authorizing information is acceptable.

21. The method of claim 20, wherein

said step (i) receives an identifier for said second party along with said authorizing information; and

said step (d) is performed one of prior to and concurrent with said step (a).

22. The method of claim 21, wherein said step (a) is not performed until after said step (d).

23. The method of claim 22, wherein

said step (i) receives an identifier for said second party along with said authorizing information; and

said step (e) calculates said first hash as a hash of at least said first calculation result and said identifier for said second party.

24. The method of claim 22, wherein said step (e) calculates said first hash as a hash of said first and second calculation results and (g^R_M mod p)^R_N.

25. The method of claim 19, wherein said step (e) calculates said first hash as a hash of at least said first and second calculation results.

26. The method of claim 19, wherein said first party is a network in a wireless system and said second party is a mobile user.
